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The Myth of Twelve More Bytes 

Security on the Post-Scarcity Internet 


IPv6 
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The Myth of 12 More Bytes 
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The Myth of 12 More Bytes 
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HTTP 



ARP 


► 

► 


Internet Protocol 

Link Layer 
Physical Layer 


Come Join the Party 
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Stateless Address Auto-Configuration 


• Give Yourself a local address in your subnet 

• Prefix: fe8o:0:0:0: : 

• IPv6 Address: fe8o::fo3C:9iff:fe96:d927 


• Ask what network you're in 

• example: 2600:3003:: 


• Take your MAC Address, use it in the prefix 

• MAC: f2:3C:9l:96:d9:27 

• IPv6 Address: 26oo:3C03::fo3C:9lff:fe96:d927 


P ri va cy Ad d resses iSEC R ar t l ?cfo r up 

• Using your MAC in the last 64 bits identifies you, globally, to 
every website you visit, no matter where you are 

• Super-Mega Evercookie 

• RFC 4941 Privacy Addresses 

• Generate a random/64 address 

• Prefer it for outgoing communications 


DHCPv 6 

• Conceptually the same as DHCP 

• Clients can get more than IP Address 

• Can also get DNS Servers 
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'he Default For Windows 


Don't Know, Need to Fill in: 
Getting an Address 

SLAAC? 

DHCPv6 or Both? 

DNS Servers 


RDNSS in NDP? 
Or DHCPv6? 
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ICMPv6 


Critical Infrastructure 
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SLAAC: 
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configuration 

L _ A 

r ^ 

NDP: Neighbor 
Discovery (ARP) 
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MLD: Multicast 
Listener 
Discovery 
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ICMPv 6 Protocols 


Router Discovery 
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New Protocols 

New Protocol Vulnerabilities 


(Same Tactics) 


NDP 


Router Discovery 
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NDP 


Router Discovery 
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NDP 


Router Discovery 



iSECpartners® 

part of nccgroup 



NDP 
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NDP Spoofing is the New ARP Spoofing 




ICMPv 6 Protocols 


Duplicate Address Detection 
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ICMPv6 Protocols 


Router Discovery 
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ICMPv6 Protocols 


Duplicate Address Detection 
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Extension Headers 


Pain in the Firewall 
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IPv6 Packet Format iSECpcn-tners 


Version 

Traffic Class 

Flow Label 

Payload Length 

Next Header 

Hop Limit 


Source Address 


Destination Address 


Data 


















IPv6 Packet Format iSECpcn-tners 


Version 

Traffic Class 

Flow Label 

Payload Length 

Next Header 

Hop Limit 


Source Address 


Destination Address 



Extension 


Next Header 

Length 

Options / Padding 


Options / Padding 


Data 


























Extension Headers + Fragmentation 
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Stateless Filtering is Impossible 
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Translation &Transition Mechanisms 


They're Such Nice Guys. 


Translation &Transition 


Transition 


IPv6 Island 

I 

IPv4 Internet 

I 

IPv6 Island 
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Translation 


IPv6 < — > IPv4 


Transition 
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6t04 

IPv6 Island to IPv4 Network to IPv6 Island 
Relies on Nice people to run border routers 

6rd or IPv6 Rapid Deployment 

6t04 but instead of nice people, it's an ISP running it, applicable only to their customers 

Teredo 

Host supporting IPv6 sits on an IPv4 Network 

Magic NAT-punching IPv6 -in-IPv4 to aTeredo Service Provider (Can be open, can be 
paid) 

Allows an IPv6 Server to sit in an IPv4 Network 

ISATAP 

Host supporting IPv6 sits on an IPv4 Network 
Can talk to IPv6 Internet, but not the reverse IPv6 


Translation 


NAT-PT 

Old, Deprecated 

IPv4 or 6 Clients to IPv6 or 4 Servers 

Has External IPv4 addresses for Internal IPv6 Servers 

Breaks a lot of stuff 

NAT64 

IPv6 Clients to IPv4 Servers 

Fakes a IPv6 Address for the IPv4 Server 

I talk to the NAT64 device, it forwards to IPv4 
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And More 


Time Limits =( 
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IPv6 Enumeration Mechanisms 
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Internet-Based 

MAC Address Guessing using OUI 

24-26 Bits 

Sequential Address (DHCPv6 or Sysadmin) 

8-16 bits 

Reverse Mapping ip6.arpa 

Very Efficient 



Limited to Local Network 

Multicast Echo nmap 

0 Bits 

ICMPv6 Parameter Problem nmap 

0 Bits 

Multicast Listener Discovery nmap 

0 Bits 

SLAAC Fake-out nmap 

0 Bits 



Remember to Remove the Things iSEC R«oTQ® r J 

We're Actually Talking About 


• Multicast! 

• Listener Discovery 

• Listener Enumeration 


Address Autoconfirguarion 
-SLAAC 


• Router Discovery 

• Router Enumeration 

• Node Querying 

• UDP/TCP Checksum Calculation 

• Transition Mechanisms 

• 6t04 

• 6rd 

• 4rd 

• Teredo 

• ISATAP 

• 6in4 

• 6over4 


• Neighbor Discovery 
Protocol 

• Duplicate Address 
Detection 

• Router, DHCP, and DNS 
Discovery 

• Redirection 

• SeND 

• New Features in DHCPv6 



DNS(SEC) 
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DNSSEC Chain 
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EverythinglsSigned iSECp P « LtQSfl 

$ dig +dnssec nic.cz +short 
217.31.205.50 

A 5 2 1800 20120719160302 20120705160302 
40844 nic.cz. 

IWGHqGORGOOjh4UuZnwxlP2qoCGYDOcHLhJBIQVJm 

h6+0Fskr6Sh2dgj 

E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVc 

mJ/J/g5VMjeWS3i 

NmLQVmcvpizwfYVo7cuCglOteazB2QH7JRp+/KhR+Q 
+ P8tNpDZKe2kEN VMQ= 


Everything Is Signed 
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$ dig +dnssec nic.cz 
;; ANSWER SECTION: 

nic.cz. 1797 IN A 217.31.205.50 

nic.cz. 1797 IN RRSIG A 5 2 1800 20120719160302 20120705160302 40844 nic.cz. IWGHqGORGOOjh4UuZnwxlP2qoCGYDOcHLhJBIQVJmh6 + OFskr6Sh2dgj E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVcmJ/J/ 

g5VMjeWS3i NmLQVmcvpizwfYVo7cuCglOteazB2QH7JRp+/KhR+Q+P8tNpDZKe2kEN VMQ= 


;; AUTHORITY SECTION: 


nic.cz. 

nic.cz. 

nic.cz. 


1797 IN NS a.ns.n 

1797 IN NS b.ns.n 

1797 IN NS d.ns.n 


c.cz. 

c.cz. 

c.cz. 


nic.cz. 1797 IN RRSIG NS 5 2 1800 20120719160302 20120705160302 40844 nic.cz. aAWmFODbEaHEt6NxuaIu82wWiL+9jMMH + EvBx4jDS5ViydnSV/lb+hLr dEZIVgBOSG5VdGKZ2y7cx8fGF8w9/9UlFioVowFfPOdOnZ5ZGAS9dNxm 

CzHVO+lLiiYOKKSUvPHq9y+thOOwfgkwkFEiofvvRtcklrh8fGfZCFL8 4JY= 


;; ADDITIONAL SECTION: 

a. ns.nic.cz. 1797 IN A 194.0.12.1 

b. ns.nic.cz. 1797 IN A 194.0.13.1 

d.ns.nic.cz. 1797 IN A 193.29.206.1 

a. ns.nic.cz. 1797 IN AAAA 2001:678:f::l 

b. ns.nic.cz. 1797 IN AAAA 2001:678:10::1 

d.ns.nic.cz. 1797 IN AAAA 2001:678:1::! 


a. ns.nic.cz. 1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. Aj/zemlwTy2FM8 + XDZPIDSKhcoKtKSSySugtqrQ8YZx/nOe7i3l/4H3D XW7cQO/NDllpW5VR 

+ lRLbsQuovhAcQRtJj47WTkxYwWa4GdWH327aNn2 aklCdCOz6F8bGqZ2Af9EGqIZY+0Rk22FIqZc2qLpNoukI0Hfc0a6OP82 9/E = 

b. ns.nic.cz. 1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. XZVfOrEBglRljlKHGXt/2lx76s5EbBqfe9a2tU3eyOOMnudsKiPulVM4 +cBLIgVDUsZMhOaX7i/qHaLAaTa98CucKIQKiwsVVG9kQEWV+OmMrZE3 

01xjVd6KNGq77jDyEVz2l6yiTIt/8U7KHDtM3haUXITeyUGJZcJvZ3Ta IOc= 


d.ns.nic.cz. 1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. nFN5NWMibodVQYurwwdOILIQbEWR0hSH+6OJDGRnsCpGGXiWr9VdeAhM XFWehN/uVa6a 

+TpwJgnJFYkPzDVrVaFxTGdgNqqTFNcVtwLupbvc6QqO Nh6/0yKxbFEkK7n4R0m9Akwnr0BXVkdkpwy3xvZZGIMvfJMq/AKESqlD t3A= 

a. ns.nic.cz. 1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. ghUpNuAs+8F08OfPucZg3/P+dOqQRdTYHoZVH8toyEcFqSTU3+yIp7HB +09hStK2RASMLi8lonzASZ2YbQRPZXmoBN 

+zEAZi6s3PIf3EFx7V388A UMowRyTyehlqvf7fHnOIIHDc2KlL4TZ5ZFuUg2PVNBaqcSSdIlmLDHsX AUM = 

b. ns.nic.cz. 1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. MxlTDSe0Dkfyzbf9qdDj0Cs0oWrMpzkRsN8g4mfiluWMuYIHTdUuu9d/ ec27we65x5B/ 

SJJ6+Lb40A030BuuzJyvpuPNvpXhlfFCLZuvNuFPbhs9 MbptJmuEKjutraaA8jnxgKlKLT4kB+Nekf2IrwSC3oxAoyn5wXZJF0Fu /6o= 


d.ns.nic.cz. 1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. AIRg88oIb4ARlQYeu5J0VBd6pjgeHI8vWAvJzy7m7O6Mmpn + KldrHu4M gz7vOYPWZK8qNSvE/ 

IDm7GZ3vERbVvprCwsvzaZCTb8h2wolVxPx9tVA GQLo2yPTtX9gUqNBMRr/xS7CwyJLVNy3ZJTrQ3G8HyYOyRUVf/SubxPr srl= 



EverythinglsSigned iSECp P « LtQSfl 

•Where is att.com? 

• 10.4.50.60 

• RRSIG( u isecpartners.com", ATT-Key ZSK ) 

• What are ATT's Keys? 

• Zone Signing Key AE363FF13468D83 . 

• Key Signing Key 563ADF348143 . 

• RRSIG( U . ", ATT-Key KSK ) 

• Can I trust ATT-Key K ? 

• RRSIG( u ATT-Key KSK Fingerprint", .com-Key ZSK ) 





Signatures Are Large ^art of nCCQfOUp 

Protocol Length Info 


DNS 

DNS 

DNS 

77 Standard 
259 Standard 
and ar d 

query 

query 

query 

A nic. cz 

response A 217.31.205.50 RRSIG 
DNSKEY nic.cz 


O : 




• DNS UDP Limit is 512 

• EDNS UDP Limit is 4096 

• DNSTCP has no limit 


• 24 Residential and SOHO routers were tested 

• 18 of 24 Devices tested couldn't support EDNS 

• 23 of 24 Devices tested couldn't supportTCP 


• http://www.icann.ora/en/groups/ssac/documents/sac-oc;2-en.pdf 










Everything Is Signed - Including No's 
Where is doesntexist.att.com? 

There is no doesntexist.att.com 

RRSIG( u There is no doesntexist.att.com", ATT-Key ZSK ) 


Denial of Service iSECportners 

Where is doesntexisti.att.com? 

There is no doesntexisti.att.com 

RRSIG( u There is no doesntexisti.att...", ATT-Key ZSK ) 

Where is doesntexist2.att.com? 

There is no d0esntexist2.att.com 

RRSIG( u There is no doesntexist2.att..." / ATT-Key ZSK ) 

Where is d0esntexist3.att.com? 

There is no d0esntexist3.att.com 

RRSIG('There is no doesntexist3.att..." / ATT-Key ZSK ) 


Sign a Single Response? 
Where is doesntexist.att.com? 

No Record 

RRSIG("No Record", ATT-Key ZSK ) 
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Man in the Middle 


att.com 


RRSIGO'No Record "):□ 
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Doesntexist.att.com 


RRSIG("No Record") 


I 






















Sign The Ranges iSEC R^tQ?o r J 

Where is doesntexist.att.com? 

There is nothing between admin.att.com and keyserver.att.com 
RRSIG('There is nothing between...", ATT-Key ZSK ) 


Called NSEC 


Sign The Ranges iSEC R 5 ? rt n «®up 

Where is doesntexist.att.com? 

There is nothing between admin.att.com and 

keyserver.att.com 

RRSIG( u There is nothing between...", ATT-Key ZSK ) 







Hash, then SignThe Ranges 
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Where is doesntexist.att.com? 

doesntexist.att.com -> hash it -> da739562. 

There is nothing between 3847629.... and 1^572645.... 
RRSIG('There is nothing between...", ATT-Key ZSK ) 


Called NSEC3! 
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'Put It In DNSSEC' 


Shoving Stuff in DNSSEC iSECpartners 



K 



Example.com? 



r 1/ 

/I 



10.0.1.200 



\r 











Shoving Stuff in DNSSEC 
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Example.com? 



10.0.1.200 
















Shoving Stuff in DNSSEC 
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Example.com? 


iQ 


10 . 0 . 1.200 


Example.com? What's your SSL Certificate? 

in > ^T1 


C I 


I 10.0.1.200, 


\J J 


L ... t 





































Shoving Stuff in DNSSEC iSECpartners 


Example.com? What's your SSL Certificate? 



w 

< J y\ 

10.0.1.200. 


— 

■ • ^* 

n 

■ ■ ■ 

if 



ClientHello 


ServerHello, 



ServerHelloDone 









































Shoving Stuff in DNSSEC 
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Bootstrapping Security 
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SSL Certs (DANE) 
Product Update Checks 
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SSL Certs (DANE) 
Product Update Checks 
SSH 

ssh -o "VerifyHostKeyDNS yes" 
RFC 4255 

OpenPGP 

gpg --auto-key-locate pka 

S/MIME 

draft-hoffman-dane-smime-oi.txt 
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DPF Crazy Awesome 
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gTLDs 


.com .org .net 
.biz .museum .coop 
.whatever .you .like 
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DRAFT - New gTLD Program - Evaluation Process 


evaluation fees 


ICANN starts 
"check 
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( Application period 
opens 


1 ■Application Comment & Early Warning 




Periods Open - 60 days f 


Background 


| - Objection Period Opens ■ 7 months 


Screening 



mt 


Application - Module 1 


Initial Evaluation - Module 2 

Extended Evauation ■ Module 2 

Dispute Resolution Proceedings - 
Module 3 


String Contention - Module 4 


Transition to Delegation - Module 5 



Objection filing period closes 
Receipt of GAC Advice expected 


The application can be 
objected to based upon any 
combination ot the four 
objection grounds at the 
time. Additionally, the 
application may face multiple 
objections on the same 
objection ground. 
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A Little History 


iSECpartners® 

part of nccgroup 


• Jon Postel basically used to run the Internet by himself 


• ICANN was charted in 1998 to: 

• Diversify management of the Internet 

• Introduce democratic, "multi-stakeholder" model 

• Preempt UN Action 


POSTEL 25 FEB 82 


















































































Where ICANN Ended Up 
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ICANN Multi-Stakeholder Model 


Board of Directors 


President and CEO 


ICANN Staff 

MDR-6S 
SV-11 
DC-9 
Sydney-5 
Brussels - 5 
Other US- 11 
Other non-US -14 


Regional Internet 
Registries 

AfnNIC 

APNIC 

ARIN 

LACNIC 

RIPENCC 


gTLD Regtstnes 
gTLD Registrars 
IP interests 
ISPs 

Businesses 
Non-Commercial 
Interests 


ccTLD registries 

( us, uk, au, .it, 
be. .ill, etc.) 


Per ICANN 
Bytaws. Article 
VII. section 2 


,,r v 


Technical 

Liaison 

Group 


[ Governmental 

G 

1 Advisory 

A 

^ Committee 



Internet 
Engineering 
Task Force 


Internet Users 
(At-Large 
Advisory 
Committee, 
in conjunction 
with RALOs) 

^ ALAC j 








1_ 

r ^ 

Security & 

Stability 

Advisory 

Committee 

r ^ 

Root Server 
System 
Advisory 
Committee 


SSAC 

A 

RSSAC 

L. A 



























Where ICANN Ended Up iSECpartners 


ccNSO 


GNSO Council 

Stephane van Gelder (SOI) - Chair - EU 
{22 Members - 20 Votes) 

(1 NCA) 



Han Chuan Lee- 
ccNSO Observer - 

AAPAC 



Alan Greenberg (SOI)- 
ALAC Liaison - NA 


Carlos Dionisio Aguirre (SOI) - NCA - LAC (AGM 
2012) 








Contracted Party House {6+1} 

Jeff Neuman (SOI) - Vice-Chair - NA 
(AGM 2012) 


Non-Contracted Party House {12+1} 

Wolf-Ulrich Knoben (SOI) - EU 
(AGM 2013) 

Thomas Rickert (SOI) - Voting NCA - EU 
(AGM 2013) 


Lanre Ajayi (SOI) - Voting NCA - AF 
(AGM 2013) 





Registry 

Stakeholder Group 

(3) 

• Registries 


Registrar 
Stakeholder Group 
{3} 

• Registrars 


Commercial 
Stakeholder Group 
{6} 

• Business 

• Intellectual 


Non-Commercial 
Stakeholder Group {6} 

• Non-Commercial 

Users 

• Not-for-Profit 

• Jeff Neuman (SOI) 
-NA (AGM 2012) 

• Jonathan 

Robinson (SOI)- 
EU (AGM 2013) 

• Ching Chiao (SOI) 
-AAPAC (AGM 
2012) 


• St6phanevan 

Gelder (SOI) -EU 
(AGM 2012) 

• Yoav Keren (SOI) - 
AAPAC (AGM 

2013) 

• Mason Cole (SOI) 

- NA (AGM 2013) 


Property 

• Internet Service 
Providers 


Operational 

Concerns 

Constituency 



Commercial and 

Business Users 

• Zahid Jamil (SOI) 
-AAPAC (AGM 
2013) 

• John Berard (SOI) 

- NA (AGM 2012) 

Intellectual Property 

Interests 

• Brian Winterfeldt 
(SOI) - NA (AGM 
2013) 

• David Taylor (SOI) 
-EU (AGM 2012) 


• Rafik Dammak (SOI) 
-AF (AGM 2013) 

• William Drake (SOI) - 
EU (AGM 2012) 

• Joy Liddicoat (SOI) - 
AAPAC (AGM 2013) 

. Wendy Seltzer (SOI) 
-NA (AGM 2013) 

• Wolfgang 

Kleinwachter (SOI) - 
EU (AGM 2013) 

• Mary Wong (SOI) - 
AAPAC (AGM 2012) 





Internet Service and 

Connection 

Providers 







. Wolf-Ulrich 

Knoben (SOI)- 
EU (AGM 2013) 

• Osvaldo Novoa 
(SOI) - LAC (AGM 
2013) 












































Where ICANN Ended Up ^ECpartnerf 



ICANN 

AT-LARGE 


At-Large Organizational Diagram 


Nominating 

Committee 

Appointees 



• • 


Africa 


Asia-Pacific 


Europe 


Latin America 
& Caribbean 


■ North America 



Seat #15 
Selected by 
At-Large 
Community 



ICANN 

Board 


A L S 


R A L O 


A L A C 


At-Large Structures 


Regional At-Large Organizations At-Large Advisory Committee 


Map is for representational purposes only. 

For more detailed information see the Google Map of the RALOs and ALSes at: http://www.atlarge.icann.org/maps/ 
Full country to region list: http://www.icann.org/en/rneetings/montreal/geo-regions-topichtm 

















Batching - What would you do? iSECpcn-tners 



Batching -What ICANN Decided i s E c partners c 


Test the Batching System: Target Time 

Test Step 1 of 3. Set your target time using the dropdowns below and click Next. 

(Note: Times are shown in UTC and 24 hour format). 

Server Date and Time: 05 Jun 2012 22:17:11:520 UTC 


* Year 

* Month 

♦Day 

♦Hour 

♦Minute 

2012 

jj 

d 

0 J 

0 J 


Next 


Test the Batching System: Generate Timestamp 


Test Step 2 Of 3. Click the Generate button to generate a timestamp. Try to dick as close to your seleded 
target date and time as possible. 



User selected Target Date and Time: 07 Jun 2012,17:13:00 UTC 


* Verification 

Code please enter the verification code from the 
image at right. 


Captcha 

Image 



Generate 























Batching - Our Response 
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Q Batching System Home | TAS - Windows Internet Explorer 


Captcha Validation | TAS - Windows Internet Explorer 


J Test the Batching System: Generate Timestamp 

Test S 

>ossible 

(^) User selected Target Date and Time: 22 Jun 2012 0123:00 UTC 


1 Test Step 2 Of 3. Click the Generate button to generate a timestamp. Trytoclickas close to your selected target date and time as 
possible. 


* Verification 
Code 


I. ..1 

Please enter the verification code from the image at 
right. 




Your Completed Applications Refresh) 












































































































































































Competition and Public Interest 
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amazon 


• • • 


.movie .vi 
.buy 


.mobile -J°y .like 
drive .amazon 


.kindle 

.call 
.you 


.silk 

.music .store dev moi .news 

fac* -P |a y ' .deal 

.group Tast box .got .kids f ree 

.mail .now cjrc(e -jot 

.book .fire .cloud 


.imdb 


.bot 


.tushu 
coupon .pay 
.aws a PP .audible .hot .author .wow 
.game .zero .safe 


.map 
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Most new gTLDs could be closed shops 

Kevin Murphy, June 21,2012, Domain Registries 

ICANN’s new generic top-level domain program could create almost 
900 closed, single-user namespaces, according to Dl PRO’S 
preliminary analysis. 

Surveying all 1,930 new gTLD applications, we’ve found that 912 - about 
47% - can be classified as “single registrant” bids, in which the registry 
would tightly control the second level. 

Single-registrant gTLDs are exempt from the Registry Code of Conduct, 
which obliges registries to offer their strings equally to the full ICANN- 
accredited registrar channel. 

The applications include those for dot-brand strings that match famous 
trademarks, as well as attempts by applicants such as Amazon and 
Google to secure generic terms for their own use. 


Amazon.com's domain power 
play: We want to control them all 

The e-commerce giant is applying for 76 new top-level domains -- 
and you won't be able to register any of them. What exactly does it 
have up its sleeve? 

by Paul Sloan I June 21, 2012 4:00 AM PDT 
Follow @paulsloan 

If Amazon.com gets its way -- and that's still a big "if' -- it will soon control 76 new domain 
extensions on the Internet. Most observers had expected the company to apply for .amazon 
and .kindle, but it seems that was just for starters: Amazon's ambitions also include a host of 
generic terms, including the likes of .free, .like, .game, and .shop. 
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New gTLDs: Competition or Concentration? Innovation or Domination? 

by Phil Corwin in Categories: new gTLDs 

This guest post was writting by Phil Corwin. Mr. Corwin is Founding Principal of the Virtualaw LLC 
consultancy and serves as Of Counsel to Greenberg & Lieberman and as for the Internet Commerce 
Association (ICA), all located in Washington, DC. This post is his personal opinion. 

Expect the unexpected. Because it will happen. And it has just happened in the application phase of ICANN's new gTLD 
program, with potentially profound consequences for the future of e-commerce. 

During the three year period between the June 2008 ICANN Board approval of the new gTLD program and its June 2011 vote to 
proceed to the application stage, and even beyond then in the context of continuing GAC-Board discussions, only one 
competition issue ever became the subject of heated and protracted debate. And that was whether ICANN’s requirement for 
registry-registrar separation should be relaxed in concert with the new gTLD program, a question that ICANN eventually 
answered in the affirmative notwithstanding resistance from some members of the GAC. 
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Homograph! 
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Top Level Websites 


• Supposed to be outlawed 

• How do you represent them 

• http: //a i 

• http://ai . 

• http://ai/ 

• AC has address 193.223.78.210 

• Al has address 209.59.119.34 

• BT has address 192.168.42.202 

• CM has address 195.24.205.60 

• DK has address 193.163.102.24 

• GG has address 87.117.196.80 
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